Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-3857

Summary
Assigner-AMZN
Assigner Org ID-ff89ba41-3aa1-4d27-914a-91399e9639e5
Published At-21 Apr, 2025 | 15:13
Updated At-21 Apr, 2025 | 15:41
Rejected At-
Credits

Infinite loop condition in Amazon.IonDotnet

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. Users should upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:AMZN
Assigner Org ID:ff89ba41-3aa1-4d27-914a-91399e9639e5
Published At:21 Apr, 2025 | 15:13
Updated At:21 Apr, 2025 | 15:41
Rejected At:
▼CVE Numbering Authority (CNA)
Infinite loop condition in Amazon.IonDotnet

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. Users should upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.

Affected Products
Vendor
Amazon
Product
Amazon Ion Dotnet
Default Status
unaffected
Versions
Affected
  • From 0 before 1.3.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-835CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-835
Description: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-153CAPEC-153 Input Data Manipulation
CAPEC ID: CAPEC-153
Description: CAPEC-153 Input Data Manipulation
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://aws.amazon.com/security/security-bulletins/AWS-2025-009/
vendor-advisory
https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj
third-party-advisory
Hyperlink: https://aws.amazon.com/security/security-bulletins/AWS-2025-009/
Resource:
vendor-advisory
Hyperlink: https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ff89ba41-3aa1-4d27-914a-91399e9639e5
Published At:21 Apr, 2025 | 16:15
Updated At:23 Apr, 2025 | 14:08

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the binary format. If the Ion data is malformed or truncated, this triggers an infinite loop condition that could potentially result in a denial of service. Users should upgrade to Amazon.IonDotnet version 1.3.1 and ensure any forked or derivative code is patched to incorporate the new fixes.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-502Secondaryff89ba41-3aa1-4d27-914a-91399e9639e5
CWE-835Secondaryff89ba41-3aa1-4d27-914a-91399e9639e5
CWE ID: CWE-502
Type: Secondary
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
CWE ID: CWE-835
Type: Secondary
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://aws.amazon.com/security/security-bulletins/AWS-2025-009/ff89ba41-3aa1-4d27-914a-91399e9639e5
N/A
https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pjff89ba41-3aa1-4d27-914a-91399e9639e5
N/A
Hyperlink: https://aws.amazon.com/security/security-bulletins/AWS-2025-009/
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Resource: N/A
Hyperlink: https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-gm2p-wf5c-w3pj
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

255Records found
CVE-2021-20041
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.57%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 09:55
Updated-03 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated and remote adversary can consume all of the device's CPU due to crafted HTTP requests sent to SMA100 /fileshare/sonicfiles/sonicfiles resulting in a loop with unreachable exit condition. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Action-Not Available
Vendor-SonicWall Inc.
Product-sma_410_firmwaresma_210sma_410sma_400_firmwaresma_210_firmwaresma_500v_firmwaresma_500vsma_200_firmwaresma_200sma_400SonicWall SMA100
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2021-1252
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.51% / 65.53%
||
7 Day CHG~0.00%
Published-08 Apr, 2021 | 04:25
Updated-08 Nov, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clam AntiVirus (ClamAV) Excel XLM Parser Denial of Service Vulnerability

A vulnerability in the Excel XLM macro parsing module in Clam AntiVirus (ClamAV) Software versions 0.103.0 and 0.103.1 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper error handling that may result in an infinite loop. An attacker could exploit this vulnerability by sending a crafted Excel file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process hang, resulting in a denial of service condition.

Action-Not Available
Vendor-ClamAVCisco Systems, Inc.
Product-clamavClamAV
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2020-35488
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-10.82% / 93.08%
||
7 Day CHG~0.00%
Published-05 Jan, 2021 | 14:03
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

Action-Not Available
Vendor-nxlogn/a
Product-nxlogn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-35139
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.19% / 41.45%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in OFPBundleCtrlMsg in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

Action-Not Available
Vendor-facuetn/a
Product-ryun/a
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2022-2833
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.47% / 63.46%
||
7 Day CHG~0.00%
Published-16 Aug, 2022 | 19:24
Updated-03 Aug, 2024 | 00:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Endless Infinite loop in Blender-thumnailing due to logical bugs.

Action-Not Available
Vendor-n/aBlender Foundation
Product-blenderBlender
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found